Thursday, February 7, 2013

How to automatically chroot jail selected ssh user logins

1. Introduction

In this article we will look at how to automatically chroot jail
selected users' ssh logins based on their user group. This technique can be
quite useful if you want your users to be provided with a limited system
environment and at the same time keep them separate from your main
system. You can also use this technique to create a simple ssh honeypot.
In this tutorial you will learn how to create a basic chroot
environment and how to configure your main system's sshd to
automatically chroot jail selected users upon ssh login.

2. Creating basic chroot environment

First we need to create a simple chroot environment. Our chroot
environment will consist of a bash shell. To do this, first, we need to
create a chroot directory:

# mkdir /var/chroot

In the next step, we need to copy the bash binary and all of its shared library dependencies. You can see bash's shared library dependencies by executing the ldd command:

From the above you can see that bash is ready, but there is not much to do as not even the ls command
is available. Rather than manually copying all commands and required
libraries, I have created a simple bash script to aid with this purpose.
Create a script with the following content:

By default the above script will create the chroot in /var/chroot as
defined by the $CHROOT variable. Feel free to change this variable
according to your needs. When ready, make the script executable and run
it with the full paths of the executables and files you wish to
include. For example, if you need ls, cat, echo, rm, bash and vi, use the which command to get their full paths and supply them as arguments to the above chroot.sh script:
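As an added example covering both the ldd step and the copy script above, here is a stand-alone populate script of my own; it is not the article's chroot.sh. It keeps the article's /var/chroot default but lets you override it with the CHROOT environment variable, parses both line shapes ldd prints, and reproduces each file's absolute path inside the jail so the dynamic loader finds the libraries where it expects them. Function names are my own choice.

```shell
#!/bin/sh
# Added example, not the article's chroot.sh. Copies executables and the
# shared libraries they depend on into a chroot tree.
# CHROOT defaults to /var/chroot as in the article; export CHROOT=... to
# build a test tree elsewhere without root.
CHROOT="${CHROOT:-/var/chroot}"

# Copy one file into $CHROOT, preserving its absolute path and mode.
copy_into_chroot() {
    src="$1"
    mkdir -p "$CHROOT$(dirname "$src")"
    cp -p "$src" "$CHROOT$src"
}

# Print the shared-library dependencies of a binary, one absolute path per line.
# ldd prints two shapes: "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the
# bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)". Virtual entries
# (linux-vdso.so.1) and "not found" lines carry no path and are ignored;
# a statically linked binary yields nothing.
lib_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\//                { print $1 }
    '
}

# Populate $CHROOT with every executable given on the command line plus
# its libraries. Non-files are reported and skipped rather than aborting.
populate_chroot() {
    for bin in "$@"; do
        if [ ! -f "$bin" ]; then
            echo "skipping $bin: not a regular file" >&2
            continue
        fi
        copy_into_chroot "$bin"
        for lib in $(lib_deps "$bin"); do
            copy_into_chroot "$lib"
        done
    done
}

# Usage, as root, with the paths the article suggests:
#   ./chroot.sh $(which ls cat echo rm bash vi)
if [ "$#" -gt 0 ]; then
    populate_chroot "$@"
fi
```

Run it once per set of binaries; re-running only overwrites files already in the jail. Keep the list minimal, since every binary you copy in is functionality available to the jailed user.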

4. Configure sshd for chroot jail

All that remains is to configure sshd to automatically redirect all
users from the chrootjail user group to the chroot jail at /var/chroot.
This can be easily done by editing the sshd configuration file /etc/ssh/sshd_config. Add the following to /etc/ssh/sshd_config:
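The following helper is an added example of mine, not part of the article, showing the Match block the article calls for together with the check sshd itself performs before honouring ChrootDirectory: the jail directory and every path component above it must be owned by root and not writable by group or others, otherwise the login is refused. The function names and the config-file argument are my own; the group name chrootjail and /var/chroot are the article's.

```shell
#!/bin/sh
# Added example, not from the article. Appends the Match block to an
# sshd_config and verifies the ownership/permission rules sshd enforces
# on ChrootDirectory and its parents.

# Append "Match Group <group> / ChrootDirectory <dir>" to <cfg> unless a
# Match block for that group is already present. Match blocks apply to
# everything that follows them, so they belong at the end of the file.
add_chroot_match() {
    cfg="$1"; group="$2"; dir="$3"
    if grep -q "^Match Group ${group}\$" "$cfg" 2>/dev/null; then
        echo "$cfg already has a Match block for group $group" >&2
        return 0
    fi
    printf '\n# Jail members of %s into %s\nMatch Group %s\n    ChrootDirectory %s\n' \
        "$group" "$dir" "$group" "$dir" >> "$cfg"
}

# Check <dir> and each of its parent directories the way sshd does:
# owner must be uid 0 and the mode must have no group/other write bits.
# Reports every violation and returns non-zero if any was found.
check_chroot_perms() {
    dir="$1"
    rc=0
    while :; do
        owner=$(stat -c '%u' "$dir") || return 1
        mode=$(stat -c '%a' "$dir") || return 1
        if [ "$owner" != "0" ]; then
            echo "$dir: must be owned by root, owner is uid $owner" >&2
            rc=1
        fi
        # Leading 0 makes the shell read the stat mode as octal.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$dir: must not be group- or world-writable (mode $mode)" >&2
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage as root:
#   add_chroot_match /etc/ssh/sshd_config chrootjail /var/chroot
#   check_chroot_perms /var/chroot && systemctl reload sshd
```

sshd reads its configuration only at start-up, so reload or restart it after the change. The ownership check matters in practice: a /var/chroot that the jailed user can write to is rejected by sshd outright, and fixing it with chmod 755 and chown root is the usual remedy.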

5. Login to chroot jail using ssh

6. Conclusion

As you can see, setting up the ssh chroot jail is a fairly simple
process. If a user does not have a home directory available in the
chroot jail, s/he will end up in / after login. You can create and
further configure your chroot by creating a user home directory,
defining the bash environment, etc.